Fix parsing of decimal numbers in non-English locales (#1273)

mirror-service/src/main/java/org/dependencytrack/vulnmirror/datasource/nvd/NvdToCyclonedxParser.java

@@ -64,6 +64,7 @@
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Objects;
 import java.util.Optional;
@@ -305,7 +306,7 @@ private static List<VulnerabilityRating> parseCveImpact(Metrics metrics) {
                 CvssV2Data cvss = baseMetric.getCvssData();
                 Optional.ofNullable(cvss)
                         .map(cvss20 -> VulnerabilityRating.newBuilder()
-                                .setScore(Double.parseDouble(NumberFormat.getInstance().format(cvss20.getBaseScore())))
+                                .setScore(Double.parseDouble(NumberFormat.getInstance(Locale.US).format(cvss20.getBaseScore())))
                                 .setMethod(ScoreMethod.SCORE_METHOD_CVSSV2)
                                 .setVector(cvss20.getVectorString())
                                 .setSeverity(mapSeverity(baseMetric.getBaseSeverity()))
@@ -322,7 +323,7 @@ private static List<VulnerabilityRating> parseCveImpact(Metrics metrics) {
                 CvssV3Data cvss = baseMetric.getCvssData();
                 Optional.ofNullable(cvss)
                         .map(cvssx -> VulnerabilityRating.newBuilder()
-                                .setScore(Double.parseDouble(NumberFormat.getInstance().format(cvssx.getBaseScore())))
+                                .setScore(Double.parseDouble(NumberFormat.getInstance(Locale.US).format(cvssx.getBaseScore())))
                                 .setMethod(ScoreMethod.SCORE_METHOD_CVSSV3)
                                 .setVector(cvssx.getVectorString())
                                 .setSeverity(mapSeverity(cvssx.getBaseSeverity().value()))
@@ -339,7 +340,7 @@ private static List<VulnerabilityRating> parseCveImpact(Metrics metrics) {
                 CvssV3Data cvss = baseMetric.getCvssData();
                 Optional.ofNullable(cvss)
                         .map(cvss31 -> VulnerabilityRating.newBuilder()
-                                .setScore(Double.parseDouble(NumberFormat.getInstance().format(cvss.getBaseScore())))
+                                .setScore(Double.parseDouble(NumberFormat.getInstance(Locale.US).format(cvss.getBaseScore())))
                                 .setMethod(ScoreMethod.SCORE_METHOD_CVSSV31)
                                 .setVector(cvss.getVectorString())
                                 .setSeverity(mapSeverity(cvss.getBaseSeverity().value()))

mirror-service/src/main/java/org/dependencytrack/vulnmirror/datasource/osv/OsvToCyclonedxParser.java

@@ -50,6 +50,7 @@
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Objects;
 import java.util.Optional;
@@ -270,7 +271,7 @@ private static List<VulnerabilityRating> parseCvssRatings(JSONObject object, Sev
             var rating = VulnerabilityRating.newBuilder();
             double score = cvss.calculateScore().getBaseScore();
             rating.setVector(vector);
-            rating.setScore(Double.parseDouble(NumberFormat.getInstance().format(score)));
+            rating.setScore(Double.parseDouble(NumberFormat.getInstance(Locale.US).format(score)));
             String type = cvssObj.optString("type", null);
 
             if (type != null && type.equalsIgnoreCase("CVSS_V3")) {

vulnerability-analyzer/src/main/java/org/dependencytrack/vulnanalyzer/client/ossindex/ModelConverterToCdx.java

@@ -35,6 +35,7 @@
 
 import java.text.NumberFormat;
 import java.util.List;
+import java.util.Locale;
 import java.util.Optional;
 
 import static org.cyclonedx.proto.v1_4.ScoreMethod.SCORE_METHOD_CVSSV2;
@@ -116,15 +117,15 @@ private static VulnerabilityRating convertRating(final String cvssVector) {
             return VulnerabilityRating.newBuilder()
                     .setSource(Source.newBuilder().setName("OSSINDEX"))
                     .setMethod(SCORE_METHOD_CVSSV3)
-                    .setScore(Double.parseDouble(NumberFormat.getInstance().format(score.getBaseScore())))
+                    .setScore(Double.parseDouble(NumberFormat.getInstance(Locale.US).format(score.getBaseScore())))
                     .setVector(cvss.getVector())
                     .setSeverity(convert(normalizedCvssV3Score(score.getBaseScore())))
                     .build();
         } else if (cvss instanceof CvssV2) {
             return VulnerabilityRating.newBuilder()
                     .setSource(Source.newBuilder().setName("OSSINDEX"))
                     .setMethod(SCORE_METHOD_CVSSV2)
-                    .setScore(Double.parseDouble(NumberFormat.getInstance().format(score.getBaseScore())))
+                    .setScore(Double.parseDouble(NumberFormat.getInstance(Locale.US).format(score.getBaseScore())))
                     .setVector(cvss.getVector())
                     .setSeverity(convert(normalizedCvssV2Score(score.getBaseScore())))
                     .build();

vulnerability-analyzer/src/main/java/org/dependencytrack/vulnanalyzer/client/snyk/ModelConverterToCdx.java

@@ -42,6 +42,7 @@
 import java.util.Comparator;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Locale;
 import java.util.Objects;
 import java.util.Optional;
 import java.util.function.Predicate;
@@ -215,7 +216,7 @@ private static VulnerabilityRating convert(final Severity severity) {
                     default -> SEVERITY_UNKNOWN;
                 })
                 .setMethod(determineScoreMethod(severity))
-                .setScore(Double.parseDouble(NumberFormat.getInstance().format(severity.score())))
+                .setScore(Double.parseDouble(NumberFormat.getInstance(Locale.US).format(severity.score())))
                 .setVector(severity.vector())
                 .build();
     }